C2 Overview: HTTPS on port 443 Cobalt Strike Beacon with a five-minute callback time. Calling directly to threat-owned domains.

TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.): Assumed Breach Model, no initial delivery via exploitation. Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined post-exploitation.

Exploitation: Assumed Breach Model, no exploitation.

Persistence: User-level persistence using a Microsoft Outlook rule triggered by a specific email.
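A defender-side check that the C2 profile above makes possible, added here as an example and not part of the original engagement: it scans constructed proxy-log lines for internal hosts contacting the same external port-443 destination at near-constant five-minute intervals. The log format, IP addresses and thresholds are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the page): "<iso-timestamp> <src> <dst>:<port>".
# 10.0.0.5 calls out every ~300 s with little jitter; 10.0.0.7 is irregular browsing.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10:443
2024-01-01T10:05:02 10.0.0.5 203.0.113.10:443
2024-01-01T10:09:58 10.0.0.5 203.0.113.10:443
2024-01-01T10:15:01 10.0.0.5 203.0.113.10:443
2024-01-01T10:20:00 10.0.0.5 203.0.113.10:443
2024-01-01T10:00:10 10.0.0.7 198.51.100.2:443
2024-01-01T10:01:40 10.0.0.7 198.51.100.2:443
2024-01-01T10:11:00 10.0.0.7 198.51.100.2:443
2024-01-01T10:13:30 10.0.0.7 198.51.100.2:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst), keeping only port 443 (the profile's C2 port)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        if port == "443":
            by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def find_beacons(text, expected=300.0, tolerance=0.05, max_jitter=0.1, min_hits=4):
    """Flag (src, dst) pairs whose inter-connection gaps cluster tightly around
    the expected callback period (300 s = the profile's five-minute sleep).
    Loosen max_jitter when hunting for a Beacon configured with sleep jitter."""
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_hits - 1:
            continue  # too few connections to call it periodic
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # relative jitter
        if abs(avg - expected) <= expected * tolerance and cv <= max_jitter:
            flagged.append({"src": src, "dst": dst,
                            "mean_interval": round(avg, 1), "jitter": round(cv, 3)})
    return flagged
```

Running `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.5 to 203.0.113.10 pair; a real deployment would also enrich the destination with domain age and categorisation, since the profile specifies calls directly to threat-owned domains.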
The above is a simplified example profile from an actual Red Team engagement. This engagement was one part of a series of assessments designed to test a Blue Team's capability of detecting and profiling a threat. It required the use of defined and specific TTPs. This is the heart of threat emulation. Defining the profile allowed all parties to be on the same page. At the end of the assessment, the profile was shared with the Blue Team members to assist in discovering anything that may have been missed. This provided defenders with the information needed to identify any gaps in their TTPs, which greatly helped them improve.
The process of decomposing a threat involves:

- Research of the existing threat.
- Breaking down the key elements of a threat profile (description, goal and intent, key IOCs, C2 overview, exploitation, and persistence).
- Recomposing the threat in the form of a profile using the information learned and filling gaps with alternate TTPs (MITRE ATT&CK is a great source to help fill these gaps).